NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

REVIEW OF NCUA’S COMPLIANCE WITH OMB M-06-16
PROTECTION OF SENSITIVE AGENCY INFORMATION

Report #OIG-07-01                    February 7, 2007

William A. DeSarno
Inspector General

Released by:                         Auditor-in-Charge:
James Hagen                          Tammy F. Rapp, CPA, CISA
Asst IG for Audits                   Sr Information Technology Auditor

TABLE OF CONTENTS

Section
        EXECUTIVE SUMMARY
        INTRODUCTION
        BACKGROUND
        OBJECTIVE
        SCOPE & METHODOLOGY
        RESULTS
   A      Confirm identification of personally identifiable information protection needs
   B      Verify adequacy of organizational policy
   C      Implement protections for PII transported/stored offsite
   D      Implement protections for remote access to PII
   E      Encrypt all data on mobile computers/devices
   F      Allow remote access only with two-factor authentication
   G      Use a time-out after 30 minutes inactivity
   H      Log all data extracts holding sensitive data and verify erased within 90 days

Appendix
   A      OMB Memorandum M-06-16
   B      NCUA Management Comments

REVIEW OF THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH OMB M-06-16
Report #OIG-06-10

EXECUTIVE SUMMARY

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) performed a limited scope review assessing the NCUA’s actions to ensure that personally identifiable information (PII) and sensitive information are safeguarded, in accordance with the Office of Management and Budget (OMB) Memorandum M-06-16, “Protection of Sensitive Agency Information.”[1]

To determine compliance with OMB M-06-16, we interviewed key agency officials responsible for privacy protection, reviewed applicable policies and procedures related to privacy, inquired about outstanding issues identified during the 2006 Federal Information Security Management Act (FISMA) audit, and compared encryption products used at NCUA with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS) 140-2 validated product list. We performed limited tests on control procedures identified during this review.

As a result of this review, the OIG determined that NCUA needs to strengthen its privacy program to ensure that PII and sensitive data are appropriately protected. Most importantly, NCUA needs to ensure that member financial and personal data is protected from potential unauthorized access.
Although we identified several weaknesses in the actions NCUA has taken to protect PII and sensitive information, we determined that NCUA is making progress to strengthen its policies and procedures for protecting both.

[1] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

INTRODUCTION:

Following numerous incidents at various Federal agencies involving the compromise or loss of sensitive personal information, OMB issued memorandum M-06-16 on June 23, 2006. That memorandum required agencies to take specific actions to protect PII and sensitive information as outlined in NIST Special Publication 800-53 and 800-53A. In addition, OMB recommended that agencies take four additional actions to protect sensitive agency information. OMB requested that agencies ensure that the safeguards outlined in M-06-16 be reviewed and in place within 45 days from the issuance of the memorandum (August 7, 2006). Inspectors General were also requested to conduct a subsequent review to assess their respective agency’s compliance.

The President’s Council on Integrity and Efficiency (PCIE) and Executive Council on Integrity and Efficiency (ECIE) jointly developed a data collection instrument (DCI) and review guide to assist Inspectors General in determining their agency’s compliance with OMB Memorandum M-06-16.
The review guide and DCI were closely linked to the actions OMB requested of agencies to protect PII and sensitive data and were likewise used to perform this limited scope review.

BACKGROUND:

PII is defined by OMB in M-06-19 as:

     “[a]ny information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.”[2]

Various statutes and authorities address the need to protect PII and other sensitive information held by government agencies, including the Federal Information Security Management Act (FISMA), the E-Government Act of 2002 (E-Gov Act), the Privacy Act of 1974, as amended, and OMB Circular A-130, Management of Federal Information Resources. In particular, FISMA requires agencies to have a security program and controls for systems to protect sensitive information.

FISMA also requires agencies to implement standards and guidelines developed by NIST.
Relevant standards are set forth in the following NIST publications:

   •   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004;
   •   FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006; and
   •   FIPS Publication 201, Personal Identity Verification for Federal Employees and Contractors, February 2005.

[2] OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 14, 2006

Additional guidance on protecting PII and other sensitive information is described in the NIST Special Publication (SP) 800 series. Among them, SP 800-53, Recommended Security Controls for Federal Information Systems, and SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, set forth key criteria for assessing compliance with FISMA requirements. This guidance forms the basis for the OMB M-06-16 Security Checklist covering protection of remote information.
OMB Memorandum M-06-16 conveys OMB’s intent that Federal agencies implement the checklist and take specific required actions for the protection of sensitive information to compensate for the lack of physical security controls when information is removed or accessed from outside the agency location.

OBJECTIVE:

The objective of this limited scope review was to assess the NCUA’s actions to ensure PII and other sensitive information are safeguarded, in accordance with OMB Memorandum M-06-16, “Protection of Sensitive Agency Information.”

SCOPE & METHODOLOGY:

To determine compliance with OMB M-06-16, we interviewed key agency officials responsible for privacy protection, including the Senior Privacy Official, the Chief Information Officer, the Deputy Chief Information Officer, and the Senior Information Security Officer. We also reviewed applicable policies and procedures related to privacy, inquired about outstanding issues identified during the FISMA audit, and compared encryption products used at NCUA with NIST’s FIPS 140-2 validated product list. We performed only limited tests on control procedures identified during this review because of the limited time available to perform this review simultaneously with the annual FISMA audit. In addition, the NCUA was in the process of implementing many related procedures during and subsequent to our review, which made them difficult to test during field work.

We conducted our work from August 8, 2006 through September 22, 2006.
This report provides a snapshot of NCUA’s progress in meeting OMB M-06-16 as of August 31, 2006.

This limited scope review was performed in accordance with the Quality Standards for Inspections issued by the PCIE/ECIE in January 2005.

RESULTS:

A. Confirm identification of PII and sensitive information protection needs

The NCUA needs to improve its process for identifying PII and sensitive information protection needs. For example, under the Privacy Act, NCUA identifies personal information it collects and maintains in its Systems of Records (SOR). However, during our review we identified some personal information maintained in NCUA’s SOR that the agency did not, during the certification process, designate in the security categorization of “moderate,” as we believe it should have. While we found that NCUA’s privacy related policies were outdated, we also learned that many were in the process of revision. We also determined that the agency did not specifically identify credit union member share and loan data obtained during a credit union examination as PII when, in our opinion, it should have. We further confirmed that NCUA has not performed any Privacy Impact Assessments (PIA) for existing systems.

The NCUA Senior Privacy Officer is in the process of taking positive steps to address privacy responsibilities within the agency.
For example, as mentioned above, at the time of this review the agency was in the process of revising both its SOR, which had not been updated since February 2000, and NCUA Instruction 3226.1, “Procedures for Implementing Provisions of the Privacy Act of 1974,” which had not been revised since its issuance in 1976. In addition, the Senior Privacy Officer is considering proposing the issuance of a new agency instruction that specifically addresses information security. The Senior Privacy Officer also plans to perform a PIA for new agency identification cards and is considering whether additional PIAs are required. Finally, the Senior Privacy Officer has recommended to the Office of Human Resources (OHR) and the Office of the Chief Information Officer (OCIO) that an appropriate training program in privacy and information security for agency employees be devised and implemented.

We agree with the Senior Privacy Officer that credit union member data does not come within the definition of a SOR under the Privacy Act because the method of data retrieval is based on a charter number, not a member identifier. Nevertheless, we found that downloads obtained during a credit union examination contain PII as defined by OMB. Likewise, while NCUA has indicated that the AIRES downloads containing credit union member data require protection, it has not specifically developed a privacy policy articulating protections for this information. Credit union member data is vulnerable to unauthorized access or loss because it is stored in multiple formats in NCUA examiners’ private homes across the country.
Sensitive credit union member data not identified as PII may not have adequate controls in place for its protection from unauthorized use. Consequently, if this data were lost it could be used for identity theft.

NCUA has performed FIPS 199 categorizations of IT systems. However, NCUA needs an improved process that compares information identified in NCUA’s SOR with the FIPS 199 categorizations to ensure that all PII and sensitive data are identified. For example, we identified PII in the Controller’s Accounting System (CAS)[3] that was not ranked moderate. Although the overall confidentiality ranking for CAS was moderate, not all PII within CAS was identified as moderate. Examples of PII not identified as requiring moderate protection include names, SSNs, account numbers, routing numbers, payment information, and personnel information. While certification and accreditation activities have been completed or are in process, a formal consideration of privacy has not occurred, resulting in some PII data not being identified during the categorization process, which could result in inadequate controls over its protection.

Last year’s FISMA evaluation noted that completion of the PIA was required as part of Certification and Accreditation (C&A) requirements. However, the NCUA has still not developed a PIA.
NCUA needs to perform PIAs to ensure all PII data is accurately identified.

As shown in the excerpt from management’s response to the 2006 FISMA audit report[4], NCUA opined that the trigger for developing PIAs has not yet occurred.

     “Management acknowledges that the agency is subject to the requirement to prepare PIAs as provided in the E-Government Act. Management’s view is that the requirement to prepare a PIA, required under the E-Government Act that became effective April 17, 2003, is triggered where an agency develops or procures an IT system or changes an existing system by adding new uses or new technologies or significantly changes how information in identifiable form is managed in the system. Generally, a PIA is required where a system change creates new privacy risks.

     NCUA last updated its Systems of Records notice effective in February 2000. See 65 Fed. Reg. 3486 (Jan. 21, 2000). Management’s position is that, with the exception of the new Personnel Security and Identity Management Systems required under the Homeland Security Presidential Directive-12 (HSPD-12), the agency has neither developed nor procured new IT systems nor made a significant change to an existing system that created new privacy risks requiring preparation of a PIA.
     At this time, the agency is in the process of developing a PIA for these new systems, updating its Systems of Records notice, and preparing related notices and instructions for employees.

[3] Examples of systems included in CAS are financial accounting, procurement, human resources, and travel systems.
[4] OIG Report to OMB on the National Credit Union Administration’s Compliance with the Federal Information Security Management Act 2006, Report #OIG-06-06

     Management maintains its view that it is not required to prepare and publish a PIA conforming to the requirements of the E-Government Act for IT systems in existence before April 2003 and which have been maintained without significant change. It is our position that our ongoing maintenance of these systems has not had an impact on the privacy risk of those systems. Routine maintenance does not change the basic functions of the programs; it normally entails updates to the user interface, revised edit formulas, etc., which have no bearing on the privacy risk level.
     Nevertheless, management acknowledges that a review of existing IT systems to ensure compliance with information privacy laws, regulation, and policy is an appropriate and commendable agency aspiration and intends to undertake such review as agency resources permit.”

The E-Government Act guides agencies as follows:

     “To conduct a PIA before: developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public or initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for 10 or more persons (excluding agencies, instrumentalities or employees of the federal government). In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks.”

In response to management’s comments to the FISMA Report, the OIG stated:

     “Per the requirements of section 208 of the E-Government Act of 2002, OMB issued guidance to agencies regarding the development of PIAs. The guidance provided by OMB applies to all executive branch departments and agencies. The Act requires agencies to conduct a PIA before developing or procuring IT systems that collect, maintain, or disseminate information in identifiable form from or about members of the public, as well as when changes occur in information collection authorities, business processes or other factors affecting the collection and handling of such information.
     Since the inception of the E-Gov Act, NCUA has implemented several changes to business processes and technical solutions that meet the above criteria as changes requiring an update or development of a PIA, including the distribution of external hard drives to store credit union audit data that are stored at the examiners’ homes, an agency-wide update in operating systems (from 2000 to XP), distribution of new notebooks, and partial implementation of sensitive data encryption.

     It is the opinion of the OIG that any one of the above changes constitutes a change of the magnitude that requires the development of a PIA. Based on the identified changes to the methods of collecting, processing, and storing PII with the agency’s IT infrastructure, NCUA should develop a PIA and maintain it on an ongoing basis.”

Recommendations:

  1. Update privacy related policies in accordance with the Privacy Act and applicable OMB guidance. Specifically, NCUA’s Systems of Records notice has not been updated since February 2000 and the Privacy Instruction has not been updated since its issuance in 1976. The agency has indicated that it is in the process of updating its SOR and the Privacy Instruction.

     Management Response: NCUA management issued a revised SOR on December 27, 2006.

     OIG Response: We agree with the action taken by NCUA.

  2. Ensure that NCUA develops a more thorough policy addressing the protection of credit union member data obtained during credit union examinations. Specifically identify CU member data as sensitive PII as required by OMB.

     Management Response: NCUA management agreed to update and consolidate agency instructions.

     OIG Response: We agree with NCUA’s planned actions.

  3. Verify that all sensitive and PII data has been identified by performing PIAs on Moderate and High systems as required by NIST 800-53A and the E-Gov Act. Ensure that sensitive and PII data identified in the agency’s SOR is compared with FIPS 199 categorizations and PIAs.

     Management Response: Although NCUA management disagrees, they “recognize that conducting PIAs is a worthwhile endeavor, which we intend to undertake, resources permitting.”

     OIG Response: We maintain that under the E-Government Act of 2002, OMB issued guidance to agencies regarding the development of PIAs, and that the guidance provided by OMB applies to all executive branch departments and agencies. The Act requires agencies to conduct a PIA before developing or procuring IT systems that collect, maintain, or disseminate information in identifiable form from or about members of the public, as well as when changes occur in information collection authorities, business processes or other factors affecting the collection and handling of such information. However, we agree with the proposed actions by NCUA Management to undertake conducting PIAs.

B. Verify adequacy of organizational policy

NCUA’s existing policy does not address information protection needs associated with PII that is accessed remotely or physically removed from agency premises. However, the Privacy Officer has stated that she is in the process of updating the policy, which will incorporate information protection needs for PII accessed or stored remotely.

OMB M-06-16 states, “The policy should address the following specific questions:
       1. For Personally Identifiable Information physically removed:
           a. Does the policy explicitly identify the rules for determining whether physical removal is allowed?
           b. For personally identifiable information that can be removed, does the policy require the information be encrypted and that appropriate procedures, training, and accountability measures are in place to ensure that remote use of this encrypted information does not result in bypassing the protections provided by the encryption?

       2. For Personally Identifiable Information accessed remotely:
           a. Does the policy explicitly identify the rules for determining whether remote access is allowed?
           b. When remote access is allowed, does the policy require that this access be accomplished via a virtual private network (VPN) connection established using agency-issued authentication certificate(s) or hardware token?
           c. When remote access is allowed, does the policy identify the rules for determining whether download and remote storage of the information is allowed? (For example, the policy could permit remote access to a database, but prohibit downloading and local storage of that database.)”

Recommendation:
   4. Identify PII and include information protection needs for PII accessed, transported, or stored remotely in agency privacy related policies.

       Management Response: NCUA management agrees.

       OIG Response: We agree.

C. Implement protections for PII transported/stored offsite

NCUA needs to improve protections for PII transported or stored offsite. We determined that NCUA is lacking a policy specific to PII transported or stored offsite.

During the FISMA audit, we identified PII and/or sensitive data that were not encrypted prior to being removed from agency premises. NCUA has started to implement some encryption capabilities, but did not consider NIST FIPS 140-2 validated products. We also observed during the FISMA audit that, with the exception of social security numbers, examiners do not have a specific awareness of their responsibilities to protect other PII and/or sensitive data.

NCUA is in the process of improving several controls related to remote storage. Specifically, during the FISMA audit the OIG identified sensitive credit union member data that was being stored remotely in an unencrypted format on notebooks, external hard drives, CDs, and personal USB drives. Subsequent to our review, the Office of the Chief Information Officer (OCIO) forced Windows XP encryption of selected folders on NCUA notebook computers and external hard drives.[5]

During NCUA’s bi-annual regional conferences in August 2006, the OCIO began to distribute USB flash drives with encryption capability to examiners, with instructions requiring their use for sensitive data that requires remote storage and limiting the use of CDs. However, we determined the USB drives purchased by NCUA are not FIPS 140-2 validated.
(See section E for further discussion regarding this topic.) The OCIO also requested examiners to bring CDs containing sensitive data to the Regional Conference for destruction by heavy-duty shredders provided by the OCIO.

[5] This control has not been tested by the OIG since it was in the process of being implemented during our review.

Recommendation:
   5. When updating agency policies and procedures, the agency should ensure that PII transported and/or stored offsite is specifically identified, including setting forth the steps needed to protect this data. In addition, incorporate encryption use in related security policies and procedures.

       Management Response: NCUA management agrees.

       OIG Response: We agree.

   6. Increase employee awareness with respect to responsibility for protecting PII and other sensitive data.

       Management Response: NCUA management agrees.

       OIG Response: We agree.

D. Implement protections for remote access to PII

NCUA has implemented some protections for remote access to PII, such as establishing a VPN requiring smart cards. However, the agency needs to improve policies and procedures for protecting remote access to PII and sensitive data.

NCUA needs to specifically identify the types of PII that require remote access and the users authorized to remotely access PII. In addition, the policy and procedures should contain the actions required to protect PII that is accessed remotely.

NCUA established a VPN in 2000 requiring authentication using smart cards that are issued directly to each authorized user.
Although the control requiring the smart cards was temporarily disabled for several months subsequent to our review, this control was reimplemented on October 12, 2006.

During the FISMA 2006 audit, the following related weaknesses were identified that could impact authorized access to PII and/or sensitive data:

   •   User account reconciliations are not performed to ensure appropriate authorized access.
   •   Users can make unlimited password attempts to gain access to local data, and users are not required to periodically change passwords.

Recommendation:
   7. When updating agency policies, ensure that PII with remote access is specifically identified, including what steps need to be taken to protect this data.

       Management Response: NCUA management agrees.

       OIG Response: We agree.

   8. Implement recommendations identified during the FISMA audit related to privacy, such as performing user account reconciliations and tightening user password policies to ensure appropriate authorized access.

       Management Response: “The user account reconciliation has been completed. Existing password policies are appropriate.”

       OIG Response: We agree with the actions taken by NCUA.

E. Encrypt all data on mobile computers/devices

In M-06-16, OMB recommends that all agencies, “Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing…” In a recent presentation by NIST officials, NIST stated that sensitive data should be classified Moderate or High, triggering at least the moderate protection controls outlined in NIST 800-53A.

During the FISMA audit, the OIG identified several weaknesses where improvement was needed in enforcing the use of encryption of sensitive examination data. We identified sensitive data on examiner notebooks, external hard drives, CDs, and personal USB drives that was not encrypted. Subsequent to our FISMA audit and Privacy review, the OCIO has made some progress in protecting its sensitive data.

NCUA currently uses the following types of encryption:

       •   Windows XP on notebook computers,
       •   Windows XP on external hard drives,
       •   WinZip, and
       •   Lenovo flash drives.

After we initiated our Privacy review, the CIO sent several emails to users providing instructions on encryption.
In addition, the OCIO began to force an encryption process that applied encryption to select folders and files located on notebook computers:

       •   D:\My Documents – every file and subfolder.
       •   D:\ncuaapps\aires32\exams – only the “exams” folder and its contents.
       •   D:\Outlook – every file and subfolder.

Once the user initiated the encryption routine sent by the OCIO, the encryption would occur automatically in the background on a daily basis. When you place or create files or folders in encrypted folders, they are automatically encrypted. If you move a file or folder from an encrypted location to a non-encrypted location, the encryption will automatically be removed from the file or folder. In addition, if you move an encrypted file or folder to a CD or DVD, the encryption will automatically be removed. During our review, the OCIO also emailed instructions for encrypting the external hard drive with Windows XP.

Subsequent to our review, the OCIO implemented a technical solution that verifies whether certain folders and/or documents are encrypted. This solution forced encryption on users that did not initiate the routine sent previously. If it finds documents that are not encrypted, it automatically encrypts them without user intervention.

The OCIO provided WinZip to encrypt and password protect copies and/or backups of sensitive files. NCUA recommends to its examiners the use of 256-bit AES encryption with a password at least 7 characters long that uses three types of characters.
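
The folder verification the OCIO describes can be reproduced as a read-only audit. The PowerShell script below is an added example, not the OCIO’s solution or any NCUA code: it assumes Windows PowerShell 3.0 or later and the D: folder layout listed above, and it treats Windows XP folder encryption as the NTFS Encrypting File System (EFS) feature it is, so it also warns about attached non-NTFS removable or optical volumes, where a copied file is written without encryption.

```powershell
# Added example (not the OCIO's tool): read-only audit of the three folders the
# report says were designated for Windows EFS encryption. Lists files that lack
# the Encrypted attribute and warns about attached volumes where EFS cannot follow
# the file. Assumes Windows PowerShell 3.0+ and the D: layout from the report.

$DesignatedFolders = @(
    'D:\My Documents',                # every file and subfolder
    'D:\ncuaapps\aires32\exams',      # only the "exams" folder and its contents
    'D:\Outlook'                      # every file and subfolder
)

function Get-UnencryptedFile {
    <#
      Returns one object per file under the given folders whose EFS Encrypted
      attribute is NOT set. Missing folders are reported, not skipped silently.
    #>
    param([Parameter(Mandatory)][string[]]$Folders)

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Designated folder is missing: $folder"
            continue
        }
        Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
            Select-Object @{ Name = 'Folder'; Expression = { $folder } }, FullName, Length, LastWriteTime
    }
}

function Get-EfsIncapableVolume {
    <#
      EFS is an NTFS feature: a file copied to a FAT-formatted USB drive, a CD or
      a DVD is stored as plaintext, which is the behaviour the report describes for
      CDs and DVDs. Lists attached removable or optical volumes that are not NTFS.
    #>
    Get-Volume -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DriveLetter -and
            $_.FileSystem -ne 'NTFS' -and
            "$($_.DriveType)" -in @('Removable', 'CD-ROM')
        }
}

$findings = @(Get-UnencryptedFile -Folders $DesignatedFolders)
if ($findings.Count -gt 0) {
    $findings | Format-Table Folder, FullName, Length, LastWriteTime -AutoSize
    Write-Output ("{0} file(s) under designated folders lack EFS encryption" -f $findings.Count)
} else {
    Write-Output 'All files under the designated folders carry the EFS Encrypted attribute'
}

Get-EfsIncapableVolume | ForEach-Object {
    Write-Warning ("Volume {0}: is {1}; files copied there lose EFS protection" -f $_.DriveLetter, $_.FileSystem)
}
```

Run it under the account that owns the files; EFS attributes are visible to any user who can list the folder, so the audit itself needs no decryption rights.
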
The OCIO also began distributing Lenovo encrypted flash drives to examiners during the regional conferences.

Although the OCIO implemented and distributed WinZip and Lenovo flash drives for encryption, neither of these products has been FIPS 140-2 validated. FIPS 140-2 “… is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems . . .” and provides a standard for Federal agencies when selecting cryptographic-based security systems for protecting sensitive data. FIPS 140-2 validation provides assurance because products have been independently tested to ensure they meet applicable standards. The requirement attaches to the module, not the algorithm: WinZip’s use of AES-256, an approved algorithm, does not by itself make WinZip a validated module. The following is an excerpt from NIST explaining its position on unvalidated cryptographic modules:

              “Use of Unvalidated Cryptographic Modules by Federal Agencies and Departments

              FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data – in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.”6

Recommendation:
   9. 
Ensure any encryption products implemented or considered for implementation comply with applicable laws and regulations, including FIPS 140-2.

              Management Response: “In the future, to the extent that we can find NIST-certified products that meet our quality and performance requirements as well as our schedule demands, we will ensure, to the best of our ability, that we purchase certified products.”

              OIG Response: We agree with the intent of NCUA’s proposed action to purchase certified products.

   10. Update security policies and procedures with encryption instructions, user responsibilities, and prohibit use of CDs, personal USB drives, and other unencrypted media for storage of sensitive and/or PII data.

              Management Response: NCUA management agreed.

              OIG Response: We agree.

6 http://csrc.nist.gov/cryptval/


F. Allow remote access only with two-factor authentication

At the time of our review, smart cards were not required for authentication to the VPN because they had been temporarily disabled as a result of expired certificates. Effective October 12, 2006, the OCIO reimplemented smart card authentication for the SWAP VPN.

G. Use a time-out after 30 minutes inactivity

We determined that some remote access and mobile devices used by the NCUA are configured to require reauthentication after 30 minutes of inactivity. Notebook computers used by NCUA personnel are configured to time out after 30 minutes of inactivity. However, we determined that the time-out settings on BlackBerry devices can be controlled by the user. 
We also noted that applications used by the NCUA do not have a time-out feature.

Recommendation:
   11. When BlackBerry devices are issued, ensure they are configured so reauthentication is required after 30 minutes of inactivity. In addition, determine if the configuration can be locked down to prevent users from changing the configuration.

       Management Response: NCUA management implemented this recommendation.

       OIG Response: We agree with the actions taken by NCUA.


H. Log all data extracts holding sensitive data and verify erased within 90 days

The OIG recognizes the difficulty associated with this control and agrees that if the resources it requires exceed the benefits it provides, and the agency has implemented the related controls contained in SP 800-53, SP 800-53A, and OMB M-06-16, sufficient protection would exist to make this control redundant with better controls.


                                                                       Appendix A

OMB Memorandum M-06-16: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf


                                                                       Appendix B

TO:           James Hagen, Assistant Inspector General for Audits

FROM:         Sheila A Albin, Associate General Counsel & Senior Agency Privacy Official
              Neil McNamara, Deputy Chief Information Officer

SUBJ:         Comments on OIG’s Review of NCUA
              Compliance with OMB M-06-16

DATE:         January 30, 2007


Introduction and Summary

This memorandum responds to the OIG’s request, dated January 22nd, for management’s comments on its Draft Review of NCUA Compliance with OMB M-06-16 (Draft Review).

We generally support the recommendations in the Draft Review but, as discussed more specifically below, management disagrees with or believes several of the eleven recommendations require clarification. Several recommended actions were already underway at the time of OIG’s review from August 8 to September 22, 2006, and, as noted below, some were completed before the first Draft Review was provided to management.

This memorandum also provides the following comments to clarify or correct certain premises and other statements in the Draft Review forming the bases for the recommendations.

Discussion

For ease of reference, these particular comments track the order in which the subject or a statement appears in the Draft Review, not necessarily in order of significance.

Page 1 and throughout. “Personally Identifiable Information”

Use of the phrase “personally identifiable information” (PII) understandably creates some confusion because the definition used, which is the only one management believes OMB has provided, is applied to other legal requirements. The definition of PII quoted at page 2 of the Draft Review is an OMB definition in OMB M-06-19 that, as defined in that memorandum, applies to OMB’s policy on reporting security incidents. This memorandum followed previous OMB issuances on information security, including OMB M-06-16, the subject of the Draft Review. Although using this definition in considering compliance with OMB M-06-19 is not objectionable, we note that OMB M-06-19, itself, does not define PII.

PII is not the same and should not be equated with the definition of a privacy record under the Privacy Act. Also, PII is not defined in FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” FIPS 199, in fact, has a broader purpose stated as “information security,” not only information about individuals.7

7 FIPS 199 requires categorization of information and information systems as having low, moderate, or high levels of risk in terms of the security objectives of confidentiality, integrity, and availability. It gives examples of types of information that should be categorized, such as “privacy,” but does not define types of information.

The second Draft Review now generally references PII and sensitive information together. Nevertheless, coupling the categories does not address the lack of clarity.

At page 5, the Draft Review notes the Privacy Officer is developing a plan for privacy and information security training. To clarify, the Privacy Officer met with representatives of OHR and OCIO in 2006 to address training and revision of existing agency instructions on privacy and information security. It is, however, the Director of OHR, with “advice from the General Counsel,” who is responsible for Privacy Act training. 12 C.F.R. §792.69. In December 2006, OHR provided the Privacy Officer an outline of its plans to address Privacy Act training. The Privacy Officer anticipates OHR and OCIO staff will work together to develop appropriate training in information security for agency employees.

We recommend the Draft Review note in some fashion (possibly a footnote on page 5 and to recommendation #1) that the SOR has been updated, published in the Federal Register, and posted on the agency’s website.

At page 6, the Draft Review states, in connection with noting that NCUA has performed FIPS 199 categorizations of IT systems, that “there needs to be an improved process that compares information that may be identified in NCUA’s SOR [Privacy Act Systems of Records Notice] with the FIPS 199 categorizations to ensure that all PII and sensitive data are identified.” This statement is not clear but appears to state the current FIPS 199 categorization is inadequate in that it does not identify all PII and, further, that reviewing the systems of records identified in NCUA’s Privacy Act notice would be helpful.

While review of NCUA’s SOR Notice may be helpful in reviewing the agency’s FIPS 199 categorization, we note that, both legally and operationally, the agency’s responsibilities and requirements for information security and Privacy Act compliance are different.


OIG Recommendations

1. Update privacy related policies in accordance with the Privacy Act, FOIA, and applicable OMB guidance. Specifically, NCUA’s Systems of Records notice has not been updated since Feb 2000 and the Privacy Instruction has not been updated since its issuance in 1976. The agency has indicated that it is in process of updating its SOR and the Privacy Instruction.

   Comment: Reference to FOIA is inappropriate as noted above and a revised Systems of Records Notice has now been issued. 71 Fed. Reg. 77807 (Dec. 27, 2006).

2. Ensure that NCUA develops a policy addressing the protection of credit union member data obtained during credit union examinations. Specifically identify CU member data as sensitive PII as required by OMB.

   Comment: NCUA already has several agency Instructions setting out agency policy on information security, including the protection of sensitive credit union data obtained in the examination process, for example, NCUA Instructions 13500.2, 13500.05, and 13500.06. OCIO acknowledges agency policy can be improved and intends to update and consolidate several of these Instructions to address information security, including more specific direction to employees on safeguarding PII obtained in the credit union examination process.

3. 
Verify that all sensitive and PII data has been identified by performing PIAs on Moderate and High systems as required by NIST 800-53A and the E-Gov Act and comparing sensitive and PII data identified in the SOR, data that may be subject to withholding based on FOIA exemptions, FIPS 199 categorization, and PIAs.

   Comment: The Draft Review discusses the necessity of performing privacy impact assessments (PIAs) and notes the key criterion for determining if a PIA is required is “where a system change creates new privacy risks.” Quoting from OIG’s response to management’s comments on OIG 2006 Report to OMB on the NCUA’s Compliance with FISMA, the Draft Review states on page 7:

       Since the inception of the E-Gov Act, NCUA has implemented several changes to business process and technical solutions that meet the above criteria [a system change creates a new risk] as changes requiring an update or development of a PIA, including the distribution of external hard drives to store credit union audit data that are stored at the examiners’ homes, an agency-wide update in operating systems (from 2000 to XP), distribution of new notebooks, and partial implementation of sensitive data encryption.

       It is the opinion of the OIG that any one of the above changes constitutes a change of the magnitude that requires the development of a PIA.

   Management’s view is the specifically cited examples did not create new risks. To the contrary, three of the changes actually decreased the privacy risk, while the fourth had no impact on risk:

   •   The external hard drives issued to field staff automatically encrypt the data stored on them. They replace the unencrypted media previously used by examiners for data backup, such as CD-ROMs and flash drives, thereby reducing privacy risk.
   •   The Windows XP operating system is inherently more secure than Windows 2000; converting to Windows XP therefore decreased the security and privacy risks to NCUA data.
   •   The distribution of newer, better notebooks to replace the old notebooks had no impact on privacy risks.
   •   Implementation of encryption of sensitive data obviously decreases the privacy risk.

   At pages 6-7, the Draft Review quotes management’s previous response to the 2006 FISMA audit report. In brief, to avoid repetition, management’s view continues to be that PIAs are not required for systems in existence before April 2003 unless alterations to so-called legacy systems create new risks. The Draft Review correctly notes at page 5 that PIAs for new systems will be developed.

   The core of management’s disagreement with OIG may be over the meaning of the word “system” and the criterion that there is an increase in risk.

   As noted by OIG, NCUA has indeed conducted several procurements in recent years, including the current notebook computers and the external hard drives for field staff. OCIO’s view is these were procurements of hardware, not systems. Our view is the word system generally means a software application that collects, processes, or produces data, including the PII that is at the heart of the discussion regarding PIAs.

   When NCUA replaced the notebook computers, the systems that process PII were all migrated from the old hardware platform to the new hardware platform. The systems were not changed.

   Nonetheless, as we have acknowledged previously, we recognize that conducting PIAs is a worthwhile endeavor, which we intend to undertake, resources permitting.

4. Identify PII and include information protection needs for PII accessed, transported, or stored remotely in agency privacy related policies.

   Comment: Generally agree.

5. When updating agency policies and procedures, the agency should ensure that PII transported and/or stored offsite is specifically identified, including setting forth the steps needed to protect this data. In addition, incorporate encryption use in related security policies and procedures.

   Comment: Generally agree.

6. Increase employee awareness with respect to responsibility for protecting PII and other sensitive data.

   Comment: Generally agree.

7. When updating agency policies, ensure that PII with remote access is specifically identified including what steps need to be taken to protect this data.

   Comment: Generally agree.

8. Implement recommendations identified during the FISMA audit related to privacy, such as performing user account reconciliations and tightening user password policies to ensure appropriate authorized access.

   Comment: The user account reconciliation has been completed. Existing password policies are appropriate.

9. Ensure any encryption products implemented or considered for implementation comply with applicable laws and regulations, including FIPS 140-2.

   Comment: When NCUA purchased encrypted flash drives for all field staff, several constraints drove the selection. We needed a high quality product that used the NIST standard encryption technology, worked with our existing equipment, and was available in time for distribution at the Regional Conferences. It should be noted that NCUA had a very narrow window of time between receipt of OMB memo M-06-16 (dated June 23, 2006) and the NCUA Regional Conferences held two months later.

   We purchased sample drives from Lenovo, the manufacturer of our notebooks, and Kingston, one of the industry leaders in high quality storage. The Kingston product requires users to have administrative privileges, which made it unusable in our environment. The Lenovo device required administrative privileges to install on the machine, but not to use it, which is why we chose the device we did.

   In the future, to the extent that we can find NIST-certified products that meet our quality and performance requirements as well as our schedule demands, we will ensure, to the best of our ability, that we purchase certified products.

10. Update security policies and procedures with encryption instructions, user responsibilities, and prohibit use of CDs, personal USB drives, and other unencrypted media for storage of sensitive and/or PII data.

   Comment: Generally agree.

11. When BlackBerry devices are issued, ensure they are configured so reauthentication is required after 30 minutes of inactivity. In addition, determine if the configuration can be locked down to prevent users from changing the configuration.

   Comment: This recommendation has been implemented.

Conclusion

Thank you for the opportunity to comment. If you believe it would be helpful to discuss any of the comments before issuing your final Review, we are available to meet or discuss them with your staff.